
ISE/WIFI - 802.1x with machine certificate and user credentials

Kevin Huether
Level 1

Hello everyone,

I need help with the wireless configuration on the WLC/ISE/AD GPO of one of our customers.

Currently we are using machine and user authentication with PEAP and it works fine. I can see the machine authentication when the notebook is booted as well as the user authentication when I log in to Windows.

 

Now we want to change the machine authentication to certificate-based since the customer got their own CA (they only have machine certs, no user certs). The certificates are enrolled and I changed the policies on ISE and the GPO, but it doesn't work.

 

Right now I am not sure whether I'm missing something or if it's not possible to combine machine cert with user credentials.

Can you help me with this?

 

WLC: 5520 running AireOS v8.10.151.0

ISE: v2.4.0.357

Clients: Windows 10 Notebooks

Supplicant: Windows builtin

 

Thank you in advance!

Best regards,

Kevin Hüther


Arshad Safrulla
VIP Alumni

Did you completely move to EAP-TLS, or are you going to do certificate validation on EAP-PEAP? EAP-TLS supports only machine and EAP-PEAP only user.

If you want both user and machine to be authenticated, you need to deploy EAP-TEAP. If you are to go ahead with EAP-TEAP, please run it on a test bed first and then take it to production, as there could be some compatibility issues. If not, consider using AnyConnect, as this will give you more options.

Also, what do the ISE logs reveal for a failed instance?
